Risk Management archives - IT Trenches


Nov 5 2009   4:50PM GMT

Do you use TLS or client certificates for authentication? Beware of new MITM vulnerability



Posted by: Troy Tate
tls, SSL, certificates, web services, authentication, IIS, apache, vulnerability, information security, risk, risk management

As Michael Morisy of ITKE recently posted in New SSL security hole allows man-in-the-middle attacks, a new SSL vulnerability has been announced. What you need to know is that it mostly affects TLS (transport layer security) sessions that use client authentication certificates. This is a vulnerability at the protocol level, which makes it very difficult to fix, whereas a recent previous SSL vulnerability had to do with certificate formats and content.

For specific details from the original researchers, visit the ExtendedSubset.com website. The summary of the announcement is shown below:

Renegotiating_TLS.pdf

Some helpful protocol diagrams: Renegotiating_TLS_pd.pdf

Packet captures: renegotiating_tls_20091104_pub.zip

This one is definitely going to be interesting to watch. The excitement never ends in the security world. Leave a comment and let other ITKE readers know if you foresee any issues on this vulnerability or if you have taken any specific actions to address the risk. Thanks for reading and let’s continue to be good network citizens.

Sep 14 2009   1:49PM GMT

Microsoft does not patch vulnerability for supported version of Windows



Posted by: Troy Tate
Microsoft, information security, vulnerability, risk management, patches, tcp-ip, tcp, tcp/ip, Windows, windows 2000, support, Microsoft support, threat, risk

Last week was the September issue of Microsoft “patch Tuesday”. The September 2009 Microsoft Security Bulletin lists a number of vulnerabilities. Microsoft held the bulletin webcast on Wednesday, September 9, to discuss the vulnerabilities and customer concerns.

One particular bulletin is creating some concern for Microsoft Windows 2000 users. MS09-048 is a bulletin for a vulnerability in the TCP/IP stack of all currently supported versions of Windows. The bulletin describes the vulnerability:

Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)

This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Even though the bulletin describes it as potential remote code execution, the webcast focused more on the denial of service threat posed by this vulnerability. Unfortunately, Microsoft has chosen not to issue a patch for Windows 2000, even though Windows 2000 is still a supported version of Windows with regard to patches and security fixes. ComputerWorld gives a good amount of detail in the article Microsoft: Patching Windows 2000 ‘infeasible’. Dark Reading published Microsoft, Cisco Issue Defenses For TCP Denial-Of-Service Attack, and The Register published Microsoft, Cisco issue patches for newfangled DoS exploit.

I know that there is a reasonable population of Windows 2000 machines in operation at my organization. So, this choice by Microsoft to not issue a patch for this vulnerability raises some concerns. Fortunately the vulnerable population is not publicly exposed and does not have mobile users. The layered defenses we have in place should help mitigate the risks to our environment. However, the risk is still there and the threat needs to be addressed. What other vulnerability will come out that Microsoft chooses not to address in a supported operating system? Are you facing the same situation in your environment? How large is the risk to your environment? What are you doing to address these threats? Why are you doing what you are doing? Share your thoughts with other ITKE readers.

Thanks for reading & let’s continue to be good network citizens.


May 11 2009   2:28PM GMT

FREE Disaster Resource Guide



Posted by: Troy Tate
disaster recovery, disaster preparedness, business continuity, business continuity planning, bcp, dr, information security, standards, education, enterprise risk management, erm, risk management, crisis management, crisis planning, crisis communication

If you are involved in IT you should also be involved in the disaster recovery planning and operations for your organization. There are quite a few resources to help with this activity. A very good free one just came across my desk that I wanted to share with you.

It is called the Disaster Resource Guide. It is a free quarterly publication to US mailing addresses. The guide covers six content categories:

  • Planning and Management
  • Human Concerns
  • Information Availability and Security
  • Telecom and Satcom
  • Facility Issues
  • Crisis Communications and Response

The guide has been published since 1995. There are three specialty issues printed each year that go deeper into a single content category. To subscribe visit http://www.disaster-resource.com/renew.

Some of the article topics in the 2008-2009 edition:

  • Where Does Business Continuity Planning Belong in an Organization?
  • NFPA 1600 or BS25999? … Why Not Both?
  • Using Standards to Get Immediate Value for Your Organization
  • The Mouse in the Room: “Where’s the Planning for People?”

May your disaster preparations pay off, and may the disaster you have not planned for never strike. Thanks for reading & let’s continue to be good network citizens!


Apr 29 2009   11:55AM GMT

Doing less with less - the glass is the wrong size!



Posted by: Troy Tate
change management, ITIL, operations, staff reduction, skill management, staffing issues, documentation, risk, risk management

I am an optimist by nature. I always look for the positive in everything. However, that is sometimes a challenge in today’s economic environment. There is a time when you have to be a realist and see the situation for what it is. Continued »


Apr 27 2009   7:22PM GMT

Pandemic preparation, risk and business continuity



Posted by: Troy Tate
business continuity, business continuity planning, continuity planning, environment, hardware, remote access, pandemic, planning, recovery, risk, risk management, risks, Pandemic planning

I’m not the kind to run around thinking the sky is falling or that the swine or bird flu risk is non-existent. I take a lot of these warnings with a grain of salt. However, the pandemic watches of the past few years should obviously have organizations thinking about their risks and business continuity plans. In fact, my organization has a few sites in Mexico and along the border with Mexico. So, this situation has the potential to directly affect our employees.

I wanted to bring your attention to a recent posting on the excellent SANS organization website about the pandemic watch of 2009. The posting is titled Pandemic Watch April 2009. It gives very good explanations of the current situation and the potential health risks.

The section that I think is most appropriate to IT folks (actually to everyone) describes a skeleton plan for companies to help deal with the situation. The following is an excerpt from the SANS website.

Don’t Panic!

Initial monitoring stage (where we are right now)

* If you’re sick, stay home
* Family is sick, stay home
* Close contact with someone showing symptoms, stay home
* Wash your hands, cover your cough

Then, if multiple cases in your area,

* Think about telling non-essential workers to stay home
* Recommend workers take kids out of daycare

Pandemic stage

* Everyone will be staying home, how will you handle it?
* Do you have enough laptops?
* Can your VPN concentrators handle the load?

I would recommend taking some time to read the summary about the health risks of the various flu strains. Let’s continue to keep our thoughts and best wishes for those who have already been affected by this most recent health issue.

Thanks for reading and let’s continue to be good network citizens - stay healthy too and if you are not healthy, then please contact a health care organization as soon as you can. Get well soon!


Feb 24 2009   3:14PM GMT

Financial crisis due to poor risk understanding & management - IT security next?



Posted by: Troy Tate
risk, financial analysis, information security, technology, measurement, Monitoring, risk management

I have written before about IT being an accelerator for the financial crisis. Another recent article, this time from Wired, called Recipe for Disaster: The Formula That Killed Wall Street, seems to show how extremely complex risk measurement is and how someone tried to design a model to express that risk. It is the same for information security professionals. Take some time, read the Wired article and substitute the words “information security” wherever the word “finance” is used. See if it mirrors the current information security risk situation today. It may shed some light on how complex the situation has become and what the impact may be if something is not done by security professionals to head off an information security meltdown - but wait… are we already there with some of the botnets, Conficker, etc.? Let me know your thoughts on this.

Thanks for your time and let’s continue to be good network citizens!